I am very new to SPLUNK, If some one could help me on 2 issues I am having with Deploying Splunk for Active Directory Auditing.
some background of the Environment is = Windows 2012 Standard, Active Directory Forest and domain levels are 2008,
Auditing is turned on and logged in security logs in each domain controller, have about 100 domain controllers.
Splunk version is Splunk Enterprise 6.5.3.
Issue#1- Having issue installing splunkforwarder-6.5.3-36937ad027d4-x64-release.msi on windows 2012 standard domain controller. The installer starts normal, key in Splunk IP Address etc, copy file progress to about 75% and stops for ever. while installer is frozen for long itme, I see Splunkforwarder Service can be seen but not started I can start it. All looks normal, can see client registered in the splunk server. But as soon as the domain controller is rebooted, the Universal Forwarder gets Uninstalled. Bin directory empty and Splunkforwarder service throw error "cannot start fine not found.
This version should be supported on windows 2012 and windows 2012 R2.
I find multiple documents for Splunk for Active directory Auditing, Can some one point me to right one?
Thanks a lot
Thanks for your reply: I managed to get around the Forwarder install issue by using this command line install
msiexec.exe /i splunkforwarder-6.5.3-36937ad027d4-x64-release.msi /l*v splunkF.log
So for AD Auditing, we have appropriate Group policy Auditing turned on and we get that in Security event logs. We like to collect the AD Security logs which will help us to search, Active directory Auditing, who access, deleted, added to group ETC. Forwarding Event logs from a installed Forwarder is one thing but I am not clear how Splunk Add on for Active Directory OR Splunk App for Active Directory
play role in Active Directory Auditing. If I could only have one solid support document how to Audit your Active Directory Environment by Splunk that would be great.
when enabling the [admon://default]inputs stanza, you will collect AD data to splunk.
when enabling the [WinEventLog://Security] inputs stanza, you will collect the security logs
these stanzas are in the inputs.conf file in the TA's (AD and windows)
place these apps on forwarders to collect data, on indexers to create the correct indexes for logs, and on search heads for search time field extractions and knowledge objects.
now when you have all the data you need, create searches. here is a small sample search that will return created accounts in AD:
sourcetype=WinEventLog:Security object_category="user" msad_action="created" | eval CreatedBy = mvindex(Security_ID,0) | table _time user CreatedBy ComputerName
will leave the forwarder issue for now and focus on the AD audit.
From little experience, i would advise to take a step back and first ask yourself, what is it that you want to audit.
then, will install the add-on following steps described here: http://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/ConfigureActiveDirectoryauditpolicy
now that you verified you have the data and you know the questions you have for this data, you can look if there are prebuilt reports and dashboards that answer those questions, or create your own.
hope it helps